More CISOs are embracing new career paths within the industry 28




TECH: Small Companies Face Big Hurdles When Managing Mobile Devices 6

RISK: To Reduce Risk, Lower Hackers’ ROI 14

LEAD: How to Educate Employees About the Insider Threat 20


ADVERTORIAL 


It's Time to Take a Fresh Look at Security Automation


MarketPulse


TO KEEP UP WITH AN UNRELENTING BARRAGE OF SECURITY ATTACKS, ORGANIZATIONS NEED TO ADOPT AUTOMATION TECHNOLOGIES THAT HELP THEM RESPOND TO THREATS MORE QUICKLY—AND REDUCE RISK AND COST IN THE PROCESS.


A new survey of CIOs and CISOs from IDG Research paints a clear picture of corporate security threats and how automation can help. The vast majority of respondents to the survey, conducted in December 2013 and January 2014, report that neither the number nor severity of security breaches is going down. What's more, detecting attacks often takes an alarmingly long time—46% of respondents report an average detection time of hours or days. Resolution once an attack has been identified takes even longer, with 54% reporting average resolution times of days, weeks or months.

CIOs and CISOs understand these issues and are taking action:

■ Reducing response times is a priority for 61%.

■ Automating security workflows is a favored solution: 82% are either very comfortable or somewhat comfortable with it.

■ Security workflow automation is gaining momentum: 63% will automate more in the coming year.

Respondents recognize the great strides that security automation has taken over the years, and companies should take a fresh look at the benefits it can bring. Whereas companies once were uneasy about automation for fear of inadvertently denying access to legitimate users, today such technology can be effective on an enterprise scale. Additionally, automation brings cost benefits, including making better use of scarce resources such as security experts' time and minimizing the financial impacts of data loss and damage to the corporate brand.

[Chart: Work to be Done: Percent of Security Workflows Currently Automated. X-axis (% of automation): 0%, 1-10%, 11-20%, 21-30%, 31-40%, 41-50%, >50%.]

CSG Invotas is one company taking a new approach to security automation, focusing on the orchestration of security responses required to resolve a security issue quickly and accurately.

CSG Invotas Security Orchestrator enables customers to automate as few or as many security tasks as they like, depending on their requirements and level of comfort. Some may opt for a fully automated response where, for example, a firewall event triggers an intrusion detection/intrusion prevention system (IDS/IPS) to block a given port for a certain IP address, and then sends a trouble ticket to alert security personnel of the incident. Others may want more human engagement, where the same series of events is triggered only after a security professional gives the green light. Still others may want to be presented with a series of options in terms of what actions they might take in the face of a specific security incident. With CSG Invotas, any mix of the above is possible, with responses varying depending on the type of incident in question. And it all works on an enterprise scale. ■


To read more about the IDG Research survey and how security automation can help companies mount a stronger defense against the persistent threats to today's corporate environments, download the MarketPulse white paper at www.csoonline.com/whitepapers/csginvotas.




SOURCE: IDG RESEARCH SERVICES, FEBRUARY 2014

ACCELERATE YOUR SECURITY


Cover photo by Roger Ball

May 2014 Volume 13, Number 4


28 More CISOs are embracing new career paths within the industry
BY GEORGE V. HULME


■ Also Inside

2 Editor’s Letter
4 Publisher’s Letter

tech

6 Small Companies Face Big Hurdles When Managing Mobile Devices
9 Researchers Hack Galaxy S5 Fingerprint Login
10 When Ransomware Strikes Close to Home, Researchers Dissect Scammers’ Faulty Code
12 Most Companies Face SQL Injection Attacks, But Few Are Doing Much to Protect Themselves

risk

14 To Reduce Risk, Lower Hackers’ ROI
16 Malware in Pirated Software Costs Us Billions
17 Like Everything Else, Managing Risks Gets More Complex as Companies Get Bigger
18 The Risk of Offshoring Security

lead

20 How to Educate Employees About the Insider Threat
22 When Measuring Security Culture, Make Sure You’re Using the Right Metrics
26 Security Administrators Turn Into Analysts

last

32 Spring Cleaning

May 2014 www.csoonline.com 1


Is Your Career Due for a Shakeup?

How much has your role as a CSO or CISO changed since you started your career? Are your responsibilities different? Are you working with different subsets of people or dealing with an updated reporting structure?

The role and priority level of security and risk within an organization have changed and evolved in the last decade, and so too have the career paths of the folks who have been charged with heading security programs. Many professionals who have been in the CSO or CISO role for many years are deciding it is time for a change, whether that’s a change of scenery with a new employer or a complete overhaul in challenges by changing environments completely.

In this month’s cover story, CSO contributor George V. Hulme speaks to CSOs who have made a leap of faith in their security career and have gone to very different jobs in an effort to shake up their professional portfolio and find new ways to invigorate their work path.

The CSOs featured are taking chances that offer big rewards but also come with significant risk. Going from a traditional enterprise security program to working for a vendor, for example, can require a big switch in responsibilities and even mind-set. But Eric Cowperthwaite, who went from being CISO at a large healthcare organization to working for a security products vendor, says the move for him was not so much about going from enterprise to vendor, but about going to what he called “a very innovative set of intellectual property that can help drive organizations to a more secure place.”

Where is your career path headed? Are you considering making a leap from your traditional path to try on a new role with a different kind of organization? Contact me and tell CSO about your experience!

-Joan Goodchild, Executive Editor
jgoodchild@cxo.com


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 190207S. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles—followed by this symbol: f. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Editor
Joan Goodchild
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Senior Editor
Grant Hatchimonji
ghatchimonji@cxo.com

Staff Writer
Steve Ragan
sragan@cxo.com
Twitter: @SteveD3

Senior Editor, Copy and Production
Colleen Barry

Art Director
Steve Traynor

Editorial Administrator
Pat Josefek

Research Manager
Carolyn Johnson

Contributors
Taylor Armerding, David Geer, Antone Gonsalves, George V. Hulme, Jeremy Kirk, John P. Mello Jr., Lauren Gibbons Paul, Bob Violino

Editorial/Advertising/Business Offices
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
cso@omeda.com

IDG Enterprise
An IDG Communications Company

International Data Group
Chairman of the Board
Walter Boyd

Founder
Patrick J. McGovern (1937-2014)

IDG Communications, Inc.
CEO
Michael Friedenberg



Alta Associates’ Executive Women’s Forum
Information Security, Risk Management & Privacy

October 21-23, 2014
Hyatt Regency at Gainey Ranch | Scottsdale, AZ

Protecting Brand, Data & the Internet of Things

EARN up to 19 CPE Credits

BUILD A NETWORK OF THE Most Dynamic Women in Our Industry

A summit to build and enable forward thinking Information Security, IT Risk and Privacy leaders.

For more information on the EWF or to register, please visit: www.ewf-usa.com

TAKE HOME TOOLS, Best Practices & Solutions to Achieve Success

Women of Influence Awards

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO Magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy.

Winners will be announced at a ceremony during the EWF event.

FOR NOMINATION FORM GO TO: www.ewf-usa.com

Nominations must be submitted by June 30, 2014

FORUM HOST & AWARDS CO-PRESENTER: Alta Associates and CSO

Big Data - Big Opportunity

Hear how companies leverage agile analysis and acquire the skills you need to distill complex ideas into an enterprise-wide call to action. Gain an understanding of how big data analytics will change all of us.

The Ying/Yang of IdM & IoT
Identity management in a ubiquitous world

Managing complexity is more than a word game. Learn how to manage identities with devices that might be swallowed by a person, or part of a general consumer ecosystem yet still inextricably connected to your company's reputation and stock price.

Cyber Risk: This is not your father’s playbook

Run and hide or stand and fight? This interactive panel will consider hacktivism, reputation management and practical mitigation strategies which reflect today's realities.

How Did I Get Here?

C-level executives walk us through their journey to success, and explain the twists and turns, skill and luck, and surprises along the way.

DIAMOND SPONSORS: Microsoft, Symantec, Carnegie Mellon Information Networking Institute


The Sorry State of Cybercrime

There’s no nice way to say it: Attempts to defeat cybercrime are failing...miserably.

We recently completed the 2014 U.S. State of Cybercrime survey with our survey partners at the Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PricewaterhouseCoopers. Each year I hope the results will show that things are getting better, and each year I'm disappointed.

Let me share some of the highlights:

■ The state of cybercrime is not good: businesses and governments are failing to keep up with the persistence, technical expertise and tactical skills of our adversaries.

■ Insiders remain the greatest risk. Despite high-profile attacks against Target, Neiman Marcus and others, insiders are still the biggest risk to your enterprise. The sad reality is that most insider risks could be mitigated with adequate employee awareness and security training, but only half the organizations surveyed conduct any awareness training. An interesting side note is that insiders who were caught almost always had a history of other problematic behaviors (violating IT policies, being disruptive in the workplace, poor performance, etc.) that might have allowed an alert company to spot the perpetrator before crimes were committed.

■ Size matters. Businesses with more than 1,000 employees take cybercrime far more seriously than their smaller counterparts and are more likely to adopt technologies and best practices that will mitigate the risks. While large businesses overwhelmingly view insiders as their greatest threat, smaller businesses take the opposite view, citing outsiders as their greatest threat. The maturity of larger companies manifests itself in their technology adoption, advanced risk management and visibility into the enterprise.

■ Experience breeds caution. Businesses that had experienced a cybercrime in the past 12 months took security far more seriously than those that did not. Interestingly, businesses that did not experience a security event were far more likely to say they don't know the most adverse impact they’ve ever experienced, and they assume that they have been attacked but can’t identify the impact.

■ Supply-chain risk is under-addressed. Supply-chain and partner risk is a big issue that needs to be improved (think Target), particularly at companies with fewer than 1,000 employees. These smaller organizations had a significant disconnect: They don’t trust their partners but they are also far less likely to require those partners to meet their security standards.

To learn more about the results of the State of Cybercrime survey, visit CSOonline.com.

-Bob Bragdon, publisher
bbragdon@cxo.com


Advertiser Index

CSG Invotas: C2
CSO: 5, 13, 19, 23, 25, C3
Executive Women's Forum: 3
International Data Corp.: 27, C4


Executive Committee

CEO Matthew Yorke
Executive Assistant to the CEO Nelva Riley
SVP of Human Resources Patricia Chisholm
SVP of Events Ellen Daly
SVP & Chief Content Officer John Gallant
SVP of Digital Brian Glynn
SVP of Strategic Programs & Custom Solutions Group Charles Lee
SVP & General Manager, Online Operations Gregg Pinsky
Chief Digital Officer Pete Longo
SVP of DEMO Neil Silverman
SVP & COO Matthew Smith
President, CIO Executive Council Pam Stenson
SVP of Digital, & Publisher Sean Weglage

Sales

Publisher Bob Bragdon
East Coast Regional Director, Integrated Sales Roz Burke
Sales Director - West Mary Hazelton
Account Executive Kelsey Scheidemantel
Account Coordinator Max Crystal

Integrated Media and Online Sales

East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Carmen Facas
VP of Business Development & Digital Media Bill Rigby
VP of Digital Account Services Danielle Thorne

Production

VP Production Services Chris Cuoco
Production Manager Heidi Broadley

Marketing

Vice President, Marketing Sue Yanovitch
Marketing & PR Manager Lynn Holmlund

List Services

Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

Reprints & Permissions

For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com




Webb  Chappell 


CSO Forum on LinkedIn

Share best practices and insight and discuss your challenges with your security executive peers.

The CSO Forum is where members of the security community can connect and collaborate to move their security and technology initiatives and careers forward.

If you are a senior security or IT professional, we’d love to have you join—apply for membership today.

Visit linkedin.com, click Groups and search for “CSO Forum”

Facilitated by CSOOnline.com and CSO Magazine



Small Companies Face Big Hurdles When Managing Mobile Devices

Not every company is big enough to implement traditional MDM solutions, but the smaller ones are still trying to find ways to manage their corporate data. By Grant Hatchimonji


At large organizations, it’s almost a given that the company will use some type of mobile device management (MDM) system. After all, with so many employees using mobile devices that either contain or connect to sources of sensitive information, there needs to be some way to keep everything under control.

But what about those companies that aren’t big enough to be able to afford an MDM implementation and a full-sized IT department to manage it? Without a way to centralize control of mobile devices, how can smaller companies protect their data?

Some small and midsize businesses have found ways to mitigate risk without using traditional MDM, but it isn't always easy. And an already difficult situation is often made trickier by the fact that smaller companies commonly adopt bring-your-own-device (BYOD) policies because they can’t afford to provide employees with devices.

“In some ways, it changes the landscape a little bit, because users may be hesitant to allow corporate control of their devices,” says Tyler Shields, lead mobile analyst for Forrester. “But if you propose the trade-off as, ‘If you want access to sensitive material, you have to have MDM,’ the user will almost always accept MDM on there for the convenience.”

With BYOD in place, smaller businesses either opt for endpoint security or ask that employees have “something on their devices, some sort of security,” adds Shields.

David Lingenfelter, an information security officer at Fiberlink, agrees that BYOD is the norm for small and midsize companies, saying, “They’re not buying devices and handing them out. So they want to get some level of control around [employees’ devices], whether it’s limiting them to specific kinds of devices or a certain OS version.”

That said, Lingenfelter adds that regardless of what kind of security policies they may have in place, small and midsize businesses often don’t think hard enough about what happens to BYOD devices when employees want to get a new one.

“They need to ensure that corporate data is not on the old device,” he says. “Usually when I'm done with these devices, I give them to my kids. I have enough common sense to wipe them before I do, though. Are you sure your employees are doing that?”

Taking a Gamble

When smaller companies know that they don’t have a means of centralizing control over their mobile devices (and that their employees' devices are typically also their personal ones), what other options are available to them? In some cases, these businesses opt to forgo MDM entirely, creating a substantial attack surface.

But such small companies may not even be on attackers’ radars, which is precisely why businesses are willing to take the risk. Most of these organizations assume that since they’re small and don't have much valuable data, the odds aren't high that they’ll be the target of an attack, and they take the gamble.

“Absolutely, there are some that say, ‘The [low] risk isn’t worth the investment today for us,’” says Shields. In most cases, he says, the company either provides a device or allows BYOD, pays the bill, and lets users go on their way.


Lingenfelter also says that he’s heard of companies that have opted to go with no solution at all, usually because they don't have any IT within the company and as a result they have no infrastructure or centralized email systems. In those cases, extremely small companies typically trust their employees and expect them to do the right thing.

Sometimes, however, companies’ partners reject the possibility of completely skipping an MDM solution.

“We've seen some small companies come to us and say that they’ve gone that route [of not implementing anything],” Lingenfelter says. “But because of their partners, mainly in pharmaceuticals, they’re being asked to put something in place because of the nature of the business.”

And Lingenfelter shares the opinion of those outside partners.

“If you're not doing any management, you’re exposed, whether it’s an attack vector or an info-leak vector,” he says. “For those that are concerned about the latter...they're not going to be a target. But there is plenty of software out there that the end user can install and then will leak data out.”

There are other concerns too, he adds, like lost devices. “If you don't have any management over that device, how are you going to wipe it?” Lingenfelter asks. “There are options with Apple and Google to do remote wipes, but did the user set it up? If they didn’t, you're out of luck.”


Without any sort of management, there is also the risk of commingling corporate and personal data. If a device has both a user’s personal and business email accounts, the person may get mixed up and send a business attachment from a personal email address, for example.

But unlike Lingenfelter, who thinks that any company operating without an MDM solution is opening itself up to all manner of risks, Shields doesn’t see the situation as quite so doom and gloom. While he admits that there are certainly some risks, he says it often just isn't worth it to smaller companies to make the investment.

“MDM doesn’t provide that much security to begin with. It’s a management tool,” he says. “It does give you wipe and find device features, but it’s not a security technology at its core.”

Like Lingenfelter, Shields concedes that malware and data loss can be a concern. Likewise, he says, sensitive areas like email are at risk of being compromised without a management solution. That does not, however, mean that it’s an absolute necessity for smaller companies to implement some kind of MDM.

“Many of the smaller companies have to weigh those risks against getting the job done,” he says. “In many cases, it's just not worth it.”

Turning to Alternative Solutions

In the event that smaller businesses decide that they do, in fact, need some sort of solution but don't have the means to implement a traditional MDM setup, there are some alternative solutions to which they can turn. Lingenfelter says there is no shortage of small companies out there that implement some of these solutions, but they're not always satisfied.

“What we’re seeing is two types of customers,” says Lingenfelter. “There are the ones that have tried to do it on their own without a real managed solution, whether it’s through their mail system like ActiveSync or freeware apps, and the others are the ones that simply say, ‘This mobile space is really taking off and I have no idea what I'm doing. I have no budget and no IT team.’”

But regardless of a company's current state, Lingenfelter explains, they all want to have some level of control and to make sure that their users are handling company data responsibly, like the big organizations do, but with a much simpler setup.

“This is something they want to be able to set up easily and be able to add and remove devices, check log history, etc. It’s, ‘Let's get it set up and we don’t want to have to manage it or massage it a lot,’” says Lingenfelter. “These companies have either tried it on their own or don't have the time or the resources to understand the technology.”

So what are some of the alternative solutions? As Shields points out, a number of MDM vendors support cloud versions of their solutions and have packages designed for small and midsize businesses that support as many as 20 devices.

“That's what I see a lot of [small and midsize businesses] doing today, going with their cloud version rather than trying to bring the heavy hitters in-house,” he says.

In other cases though, organizations jettison MDM solutions altogether and opt for using endpoint security suites from companies like Symantec or Norton.

It’s typically the slightly larger, midsize companies that wind up opting to use secure network gateways and application reputation systems, according to Shields. The problem with this option, however, is that the user experience these tools provide tends to be less positive.

“So the users don’t tend to like them as much and they bog down the system more,” says Shields. “They would rather just get security on their devices.”

Lingenfelter again touched on the idea of smaller organizations tying their management into an email solution like ActiveSync or Office 365 and using the MDM built into that software. But those solutions are not ideal, he says.

“It can be very complex to manage devices using ActiveSync and locking it down.”

Lingenfelter mentioned other imperfect alternative solutions, like free MDM products or only allowing employees to use Apple devices. Freeware comes up short when a company has an issue or needs to add more devices and can't get support because the whole system is self-service. That leaves users to figure things out for themselves, which ends up being time-consuming.

Insisting on one type of device across the board, meanwhile, isn't a preferred solution for some smaller businesses, he says, simply because the company doesn’t want to force anything on to its employees.

“Even though they would like to be homogenous and single threaded because Apple has stronger security, they don’t feel that they can lock their employees in,” Lingenfelter says.

“It’s an option, but there are costs involved on the management side,” he says. “If the company wants, they can get an Apple server to manage them, but there's a cost in overhead for that as well.”

Whatever approach a company takes, however, Lingenfelter insists that all businesses, no matter how small, should have some sort of solution in place.

“If you’re not doing anything in the MDM space, you’re not secure,” he says.


■ Grant Hatchimonji is senior editor for CSO. Contact him at ghatchimonji@cxo.com.




Researchers  Hack  Galaxy  S5  Fingerprint  Login 


IT  TOOK  JUST  FOUR  DAYS  FOR  GER- 
man  researchers  to  trick  the  Samsung  Gal¬ 
axy  S5’s  fingerprint  scanner  into  accepting  a 
mold  of  a  fingerprint  instead  of  a  scan  from  a 
real  finger. 

Although  fingerprint  authentication  is  one 
of  the  headline  features  on  Samsung's  new 
flagship  model,  the  company's  implementa¬ 
tion  “leaves  much  to  be  desired,”  SR  Labs  said 
in  a  video  demonstration  of  the  hack  posted 
on  YouTube. 

The researchers enrolled a fingerprint from a real finger on the S5, then used a mold of a fingerprint to unlock it, the same method used last year to spoof Apple’s Touch ID. The video shows Samsung’s scanner being bypassed with a mold made under laboratory conditions, but the mold itself is based on nothing more than a camera-phone photo of a latent print lifted from a smartphone screen, SR Labs said.

Latent  prints  aren't  immediately  visible  to 
the  naked  eye,  but  “can  be  visualized  using 
magnesium  powder,  which  is  gently  brushed 
over  hard  and  shiny  surfaces  in  order  to  illumi¬ 
nate  them,”  according  to  the  Explore  Forensics 
website. 


The  weakness  of  Samsung’s  implementa¬ 
tion  is  made  even  more  serious  because  the 
phone  integrates  with  PayPal,  allowing  users 
to  authenticate  transactions  using  the  finger¬ 
print  scanner.  The  integration  gives  a  would- 
be  attacker  an  even  greater  incentive  to  hack 
a  phone,  SR  Labs  said. 

PayPal  downplayed  the  risks,  saying  that  it 
is  not  the  fingerprint  that  provides  access  to 
its  service:  “PayPal  never  stores  or  even  has 
access  to  your  actual  fingerprint  with  authen¬ 
tication  on  the  Galaxy  S5.  The  scan  unlocks 
a  secure  cryptographic  key  that  serves  as  a 
password  replacement  for  the  phone.  We  can 
simply  deactivate  the  key  from  a  lost  or  stolen 
device,  and  you  can  create  a  new  one,”  the 
payment  service  explained. 

Fingerprint  authentication  has  become 
a  hot  smartphone  feature  since  Apple’s 
iPhone  5S  debuted  Touch  ID,  a  fingerprint  sen¬ 
sor  built  into  the  home  button. 

Touch ID was hacked last year by Germany’s Chaos Computer Club using a latex copy of a fingerprint. The hack of Samsung’s fingerprint scanner again raises questions about the effectiveness of the technology.


Using  fingerprints  has  two  shortcomings 
when  compared  to  passwords,  according  to 
SR  Labs.  First,  once  a  fingerprint  gets  stolen, 
there  is  no  way  to  change  it.  To  offset  this, 
digitized  fingerprints  need  to  be  very  hard  to 
steal.  Second,  users  leave  copies  of  their  fin¬ 
gerprints  everywhere,  including  on  the  devices 
the  prints  protect. 

“While biometrics will always carry with them a tradeoff of security for convenience, it’s the manufacturer’s responsibility to implement them in a way that doesn't put users’ crucial data and payment accounts at risk,” SR Labs said.
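The PayPal design quoted above and the two shortcomings SR Labs lists can be seen together in one small model. This is an added example written for this page, not code from PayPal, Samsung or SR Labs. It assumes a shared HMAC secret as a stand-in for the device's asymmetric key, and constructed sets of ridge-feature labels with a hypothetical match threshold as a stand-in for the sensor's fingerprint template. What it demonstrates: the server never holds a fingerprint and can revoke a lost device's key, but a mold that the local sensor accepts authorizes a payment exactly as the real finger does, because the server only ever sees the key.

```python
"""Fingerprint-gated, server-revocable device key: a model (added example)."""
import hashlib
import hmac
import secrets

SENSOR_TOLERANCE = 0.9  # hypothetical: share of enrolled features a scan must match


class PaymentServer:
    """Holds one revocable key per enrolled device. It never sees a fingerprint."""

    def __init__(self):
        self._keys = {}  # key_id -> {"user": str, "secret": bytes, "revoked": bool}

    def enroll_device(self, user):
        key_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)  # HMAC secret stands in for a device keypair
        self._keys[key_id] = {"user": user, "secret": secret, "revoked": False}
        return key_id, secret

    def new_challenge(self):
        return secrets.token_bytes(16)

    def approve_payment(self, key_id, challenge, amount, tag):
        rec = self._keys.get(key_id)
        if rec is None or rec["revoked"]:
            return False
        msg = challenge + amount.encode()
        expected = hmac.new(rec["secret"], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def revoke(self, key_id):
        """Owner reports the phone lost or stolen: the key, not the finger, is retired."""
        self._keys[key_id]["revoked"] = True

    def stores_fingerprints(self):
        return any("fingerprint" in rec for rec in self._keys.values())


class Phone:
    """The fingerprint match is a purely local gate in front of the key."""

    def __init__(self, key_id, secret, enrolled_print):
        self._key_id, self._secret = key_id, secret
        self._template = set(enrolled_print)  # constructed stand-in for a template

    def _sensor_accepts(self, presented):
        overlap = len(self._template & set(presented)) / len(self._template)
        return overlap >= SENSOR_TOLERANCE

    def pay(self, server, amount, presented_print):
        """Returns None if the sensor rejects, else the server's decision."""
        if not self._sensor_accepts(presented_print):
            return None
        challenge = server.new_challenge()
        msg = challenge + amount.encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return server.approve_payment(self._key_id, challenge, amount, tag)


# Constructed "fingerprints": sets of ridge-feature identifiers.
REAL_PRINT = {f"ridge{i}" for i in range(20)}
MOLD_PRINT = {f"ridge{i}" for i in range(2, 20)}   # lifted latent print, 90% of features
OTHER_PRINT = {f"ridge{i}" for i in range(50, 70)}  # a stranger's finger


def run_scenarios():
    server = PaymentServer()
    key_id, secret = server.enroll_device("alice")
    phone = Phone(key_id, secret, REAL_PRINT)
    results = {
        "owner_pays": phone.pay(server, "42.00", REAL_PRINT),
        "stranger_pays": phone.pay(server, "42.00", OTHER_PRINT),
        "mold_pays": phone.pay(server, "42.00", MOLD_PRINT),
        "server_has_prints": server.stores_fingerprints(),
    }
    server.revoke(key_id)
    results["after_revoke"] = phone.pay(server, "42.00", REAL_PRINT)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
```

Revocation covers the lost-or-stolen-phone case in PayPal's statement; it does nothing against a spoof performed on the phone in the attacker's hand, which is the case SR Labs demonstrated. In this design the sensor's anti-spoofing quality, not the key handling, decides the outcome.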

Even  though  the  hack  is  serious,  it  is  un¬ 
likely  to  affect  sales  of  the  Galaxy  S5. 

“The  majority  of  consumers  aren’t  at  this 
stage  very  aware  of  smartphone  security  is¬ 
sues.  When  they  go  to  buy  a  new  smartphone, 
it  isn’t  the  first  question  that  comes  to  their 
mind,”  says  Malik  Saadi,  practice  director  at 
ABI  Research. 

Samsung  didn’t  reply  to  requests  for 
comment. 

-Mikael  Ricknas, 
IDG  News  Service 




Tech


When  Ransomware  Strikes  Close  to  Home, 
Researchers  Dissect  Scammers’  Faulty  Code 


JOSE VILDOZA’S 62-YEAR-OLD FATHER was using his old Windows computer when a warning flashed on the screen: Your files have been encrypted.

Vildoza’s  father,  who  speaks  Span¬ 
ish,  didn’t  understand  the  warning,  which 
demanded  payment  in  order  to  decrypt  the 
files.  When  Vildoza  looked  at  it,  he  knew  it 
was  bad.  And  he  got  angry. 

“I  became  upset  with  that,”  says  Vildoza, 
who  lives  in  Argentina  and  works  for  a  video 
game  developer  called  Tucma  Games.  “I 
didn’t  want  to  pay.” 

Vildoza’s machine had just become one of the latest victims of a long-running scam that has seen a surprising resurgence over the past year. For about a decade, cybercriminals have been hacking people’s computers and encrypting their files.

It’s one of the more insidious schemes on the Internet. The encryption is virtually unbreakable, and unless users have a backup of their files on an uninfected machine, the data is gone for good, unless victims pay up.

In its latest Internet Security Threat Report, security vendor Symantec said that in 2013 it saw a 500 percent increase in attempts to install encrypting malware, which is distributed under names including CryptoLocker, CryptorBit and HowDecrypt.

The  hackers  typically  demand  $100  to 
$500,  payable  in  bitcoin  or  other  Web- 
based  payment  services.  The  ransom  may 
increase  the  longer  the  victim  waits. 

Kevin  Haley,  director  of  Symantec’s 
security  response  team,  says,  “It’s  the  per¬ 
fect  kind  of  criminal  scam.  You  get  people 
scared  and  not  thinking,  and  you  can  make 
a  lot  of  money  out  of  it.” 

Ransomware schemes may be rising due to their sheer profitability and to the declining effectiveness of Web-based scams like bogus security programs. Haley says Symantec estimates ransomware perpetrators achieve an average response rate of around 3 percent, and demand payment that is much higher than those peddling fake antivirus software, which typically sells for $50.

But  Vildoza,  an  enthusiastic  25-year- 
old,  wasn’t  about  to  give  up.  He  launched 
his  own  investigation,  discovering  that  his 
machine  had  first  been  infected  with  Sef- 
nit,  which  is  a  malware  program  distributed 
by  a  botnet  of  the  same  name. 

He  believes  that  whoever  controls  Sef- 
nit  likely  sold  access  to  his  computer  to 
other  cybercriminals,  who  then  installed 
CryptoDefense,  a  type  of  ransomware  that 
emerged  last  month. 

Diving into CryptoDefense’s code, he found its developers had made a crucial mistake. CryptoDefense used Microsoft’s Data Protection API, a facility built into the Windows operating system, to encrypt a user’s data.


CryptoDefense  sent  the  plain-text  pri¬ 
vate  key  to  unlock  the  data  back  to  its  own 
server,  and  the  cybercriminals  would  only 
release  it  upon  payment.  But  they  appar¬ 
ently  didn’t  know  that  the  Data  Protection 
API  stored  a  copy  of  the  encryption  keys  on 
a  victim’s  computer. 

The  problem,  though,  is  that  the  keys  as 
stored  on  the  user’s  system  were  encrypted. 
So  Vildoza  and  a  researcher,  Fabian  Wosar 
of  the  Austrian  security  company  Emsisoft, 
collaborated  on  a  utility  called  the  Emsisoft 
Decrypter  that  was  designed  to  recover  the 
encrypted  keys. 

Vildoza  knew  he  had  made  a  big  dis¬ 
covery,  and  one  that  would  help  a  lot  of 
people.  In  mid-March  he  launched  a  blog 
chronicling  his  investigation  and  listing  an 
email  address  that  victims  could  contact  to 
request  assistance. 

At  the  time,  he  refused  to  reveal  the 
mistake  CryptoDefense’s  authors  had  made 
on  his  blog.  But  Symantec  then  published  a 
blog  post  on  March  31  detailing  the  error. 

Symantec’s  post  initially  described  the 
file  path  where  the  keys  were  stored,  but 
about  two  days  later,  Symantec  deleted 
that  specific  information. 

Haley  says  the  company  had  sec¬ 
ond  thoughts  about  sharing  that  bit  of 
information  because  most  users  unfamiliar 
with  RSA  encryption  wouldn’t  know  what 
to  do  with  it. 

“I  think  while  we  thought  it  was  techni¬ 
cally  accurate,  we  figured  out  it  wasn’t 
enough  to  really  help  anyone,”  Haley  says. 
“The  impression  we  left  people  was  you 
could  follow  that,  get  the  key  and  you’re 
good  to  go.” 

He  says  people  could  have  called  Syman¬ 
tec’s  technical  support  for  more  informa¬ 
tion,  but  acknowledged  that  those  people 
would  have  to  be  the  company’s  customers. 

After  Symantec’s  post,  Vildoza  went 
ahead  and  described  the  problem  on  his 
blog.  He  received  at  least  80  emails  ask¬ 
ing  for  help,  as  well  as  an  unmanageable 
flood  of  spam,  presumably  as  revenge  from 
CryptoDefense’s  operators,  who  he  sus¬ 
pects  are  Russian. 


After  the  coding  error  in  CryptoDefense 
became  public,  the  malware  authors  fixed 
it,  once  again  making  the  malware  an 
intractable  problem  for  those  infected. 

Haley  said  he  understood  the  argument 
for  keeping  the  mistake  quiet.  But  the 
cybercriminals  would  have  figured  it  out  on 
their  own  eventually  and  closed  the  loop¬ 
hole  anyway,  he  says. 

The  utility  developed  by  Vildoza  and 
Wosar  now  only  works  for  versions  of  Cryp¬ 
toDefense  that  infected  machines  prior  to 
March  31.  But  it  still  helped  many  people. 

Dan  Getty,  who  is  responsible  for  desk¬ 
top  patch  management  at  the  University  of 
Michigan  in  Flint,  Mich.,  says  CryptoDefense 
infected  two  computers  there,  including 
one  belonging  to  an  administrator  that 
contained  thousands  of  files  that  were  not 
backed  up. 

“The  loss  would  have  been  catastrophic,” 
he  said  via  email. 

Michael  Van  Rheenen,  director  of  devel¬ 
opment  for  the  online  software  company 
Tallyfox  in  Zurich,  wrote  via  email  that  he 
briefly  considered  paying  the  ransom  after 
three  computers  and  a  storage  drive  were 
infected. 

But the “absurd abuse” of the attack “led me to keep searching for a possible solution for it,” Van Rheenen wrote. He eventually recovered 5,675 files, ranging from documents to photos, none of which had been backed up.

Marshall  Shapiro,  who  lives  in  San  Jose, 
California,  removed  the  infected  hard  drive 
of  a  computer  his  wife  had  been  using  when 
it  locked  up.  The  hard  drive  is  still  in  the 
closet  while  he  mulls  trying  to  see  if  the 
utility  from  Vildoza  and  Wosar  will  work. 

“Why  the  hell  pay  these  bastards?”  says 
Shapiro,  who  worked  for  15  years  doing 
technical  support  for  hardware  security 
modules.  “I  don’t  know  if  my  wife’s  files  are 
that  valuable  at  this  point.” 

“She’s  getting  mad  at  me  saying  that,” 
Shapiro  added  during  a  phone  interview  for 
which  his  wife  was  in  the  room. 

-Jeremy  Kirk, 
IDG  News  Service 




Tech


Steve  Ragan,  Staff  Writer 
CSOonline's  Salted  Hash  blog  and  newsletter  covers 
the  news  as  it  happens:  blogs.csoonline.com/blog/cso 


SALTED  HASH 


Most  Companies  Face  SQL  Injection  Attacks, 
But  Few  Are  Doing  Much  to  Protect  Themselves 


WHEN IT COMES TO PREVENTING SQL injection attacks, many organizations don't take any precautions.

The Ponemon Institute released the results of a new study that polled 595 respondents across 16 verticals for DB Networks. In it, 65 percent of the respondents said that they’ve experienced one or more SQL injection attacks in the past 12 months. In addition, each incident took an average of 140 days to discover and 68 days to fix.

“It  is  commonly  accepted  that  organiza¬ 
tions  believe  they  struggle  with  SQL  injection 
vulnerabilities,  and  almost  half  of  the  respon¬ 
dents  said  the  SQL  injection  threat  facing 
their  organization  is  very  significant,  but  this 
study  examines  much  deeper  issues,”  says  Dr. 
Larry  Ponemon. 

But  there’s  a  problem. 

When  it  comes  to  preventing  SQL  injection, 
52  percent  of  respondents  said  they  don’t 
take  any  precautions,  such  as  code  audits  or 
validation  checks. 

Yet  nearly  half  the  respondents  said  that 
SQL  injection  attacks  are  a  significant  threat. 
Moreover,  42  percent  said  they  believed  that 
SQL  injection  is  a  contributing  factor  in  most 
breaches. 

Part of the reason that companies are skimping on protection is that only 31 percent of the respondents say their organization’s security and IT teams possess the skills and expertise to detect an SQL injection attack.

Part of the reason SQL injection persists is that, from the criminal’s perspective, it works. There are several tools on the Web that automate SQL injection, from scanning for vulnerable hosts to harvesting data from the database, and for most criminals that’s all they need to compromise data.

For  businesses,  the  issue  is  a  bit  more 
complex.  Developers  are  paid  to  code,  but 
security  still  isn't  a  primary  function  when 
a  project  needs  to  be  delivered  on  time  and 
under  budget. 

Code development has come a long way since SQL injection attacks first came on the scene in 1998, but things still slip through the cracks. Those small mistakes can turn into large breaches, which is why companies are encouraged or even mandated to perform code assessments and continually monitor applications and databases.

Still,  SQL  injection  attacks  occur  regularly, 
and  the  aftermath  of  those  incidents  can 
be  costly  and  embarrassing  (in  a  PR  sense). 
Obviously  survey  sponsor  DB  Networks,  which 
sells  database  monitoring  services  meant 
to  detect  SQL  injection  attacks,  has  a  horse 
in  this  race,  but  so  do  several  other  vendors. 
But  basic  security  measures,  such  as  those 
outlined  by  OWASP,  can  often  solve  the  most 
basic  SQL  injection  issues. 
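As an added example (not from the Ponemon study, DB Networks or OWASP), the following Python shows the pattern those basic measures address: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite database, plus the kind of allowlist validation check the survey asks about. The table names, rows and payloads are all constructed for the demonstration.

```python
"""SQL injection: vulnerable lookup beside its parameterized form (added example)."""
import re
import sqlite3


def build_db():
    """Constructed sample data: a users table the lookup is meant to read and a
    credentials table the application never intends to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, email TEXT);
        CREATE TABLE credentials (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.com'),
                                 ('bob',   'bob@example.com'),
                                 ('carol', 'carol@example.com');
        INSERT INTO credentials VALUES ('alice', 'hash-alice'),
                                       ('bob',   'hash-bob');
    """)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's text is spliced into the SQL grammar itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the driver passes the value out of band; it cannot change the statement."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value):
    """Allowlist validation: defence in depth on top of parameters, not a replacement."""
    return USERNAME_RE.fullmatch(value) is not None


# Constructed payloads of the kind automated tools try first.
TAUTOLOGY = "' OR '1'='1"                                               # widen the WHERE clause
UNION_DUMP = "' UNION SELECT username, password_hash FROM credentials --"  # read another table


def run_comparison():
    conn = build_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "bob"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vuln_union": sorted(lookup_vulnerable(conn, UNION_DUMP)),
        "safe_normal": lookup_parameterized(conn, "bob"),
        "safe_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "safe_union": lookup_parameterized(conn, UNION_DUMP),
        "validation": {p: is_valid_username(p) for p in ("bob", TAUTOLOGY, UNION_DUMP)},
    }


if __name__ == "__main__":
    for name, rows in run_comparison().items():
        print(f"{name:15} {rows}")
```

Against the concatenated query the tautology returns every user and the UNION payload returns the password hashes from a table the query never named; the parameterized version returns nothing for either, because the payload is compared as a literal username. The regular expression rejects both payloads too, but validation alone is fragile (a legitimate value such as O'Brien needs the apostrophe), so binding parameters is the control to rely on.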

Still,  no  matter  how  your  organization 
deals  with  the  threat  of  SQL  injection  attacks, 
the  important  part  is  that  the  threat  is  being 
addressed.  It  isn’t  easy,  but  given  the  value  of 
your  data,  both  inside  and  outside  the  com¬ 
pany,  it’s  worth  the  effort. 




SECURITY SMART NEWSLETTER


Security  Smart  is  a  quarterly  security  awareness  newsletter  ready 
for  distribution  to  your  employees — saving  you  precious  time  on 
employee  education!  The  compelling  content  combines  personal 
and  organization  safety  tips  so  is  applicable  to  many  facets 
of  employees'  lives.  And  the  easy  to  read  design  has  multiple 
entry  points  so  you  are  assured  that  your  intended  audience  of 
employees — your  organization's  most  valuable  assets — will  read 
and  retain  the  information. 




Subscribe  today! 



To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 



For  more  information  please  visit 

www.SecuritySmart.com 


Security Smart is published by CSO, a business unit of CXO Media. © 2012 CXO Media Inc.


CSO 


BUSINESS  RISK  LEADERSHIP 


To Reduce Risk, Lower Hackers’ ROI

Most hackers are in it for the money. So enterprises that make it more difficult and costly to breach them will send attackers looking for easier targets. By Taylor Armerding


HACKING IS NO LONGER JUST A GAME for tech-savvy teens looking for bragging rights. It is a for-profit business, and a very big business. Yes, it is employed for corporate and political espionage, activism and even cyberwar, but the majority of those in it are in it for the money.

So, security experts say, one good way for enterprises to lower their risk is to lower hackers’ ROI by making companies more expensive and time-consuming to hack, and therefore a less tempting target. It’s a bit like the joke about the two guys fleeing from a hungry lion. “I don’t have to outrun the lion,” one says to the other. “I just have to outrun you."

Of  course,  this  only  applies  to  broad-based 
attacks  seeking  targets  of  opportunity,  not  an 
attack  focused  on  a  specific  enterprise. 

David Meltzer, in a blog post on Tripwire, recently made the argument that being a bit more secure than others is generally enough. “How do you stop a smart attacker? Simple: reduce their ROI to make exploiting you fiscally irresponsible.”

That  is  the  consensus  of  other  experts.  “If 
you  make  it  more  difficult  and  less  rewarding 
for  the  non-targeted,  financially  motivated 
attacker,  she  or  he  will  likely  move  on  to  an 
easier  mark,”  says  Deena  Coffman,  CEO  of 
IDT911  Consulting. 

Bob West, chief trust officer at CipherCloud, agrees. “The commercialization of cybercrime in the last decade has elevated ROI as a very important factor in many attacks," he says.

Bogdan  “Bob"  Botezatu,  senior  e-threat 
analyst  at  Bitdefender,  also  shares  the  pre¬ 
vailing  opinion.  “Commercial  or  non-state- 
sponsored  hackers  are  usually  trying  to  get 
the  most  profit  with  minimum  amounts  of 
money,”  he  says.  "The  more  difficult  the  at¬ 
tack,  the  less  interested  they  are." 

That,  of  course,  raises  the  obvious  ques¬ 
tion:  What,  specifically,  should  enterprises  do 
to  make  themselves  less  tempting  targets,  es¬ 
pecially  since  it  is  cheaper  than  ever  to  launch 
broad-based  attacks? 

While launching a sophisticated attack on a single target is still expensive, time consuming and difficult, the marketplace on the so-called Dark Web reduces the barrier to entry for hackers by providing “software apps for less-skilled thieves to purchase for little money and use to attack companies that leave their networks exposed or only have a single layer of security,” says Coffman.

There  is  general  agreement  among  experts 
that  an  enterprise  should  start  by  evaluat¬ 
ing  its  assets  based  on  what  an  attacker 
would  find  attractive.  But  experts  have  dif¬ 
fering  opinions  about  assets’  worth.  Most 
agree  that  the  value  of  credit  card  data,  for 
example,  declines  rapidly  because  as  soon  as 
the  breach  is  made  known,  the  cards  are  de¬ 
stroyed  and  replaced. 

Russ  Spitler,  vice  president  of  product 
strategy  at  AlienVault,  says  credit  cards,  “are 
easy  to  steal,  but  actually  reasonably  dif¬ 
ficult  to  turn  into  money  at  scale,  due  to  the 
fraud  detection  that  the  card  providers  have 
developed.”  But  credit  cards  remain  a  valu¬ 
able  asset  for  enterprises,  "and  the  one  that  is 
easiest  to  sell.” 

He  believes  email  lists  have  even  less 
value.  “They  really  require  very  high  volumes 
to  resell.  Email  lists  are  practically  free  these 
days,”  he  says.  But  not  all  his  colleagues 
agree.  Botezatu  says  customer  emails  “are 
the  foundation  of  any  business.  They  are  sold 
and  rented  on  underground  forums  for  a  spe¬ 
cific  amount  of  money.  Often  they  are  sold  to 
multiple  cybercriminals,  so  the  profit,  even  if 
small,  is  constant." 

And Coffman says email addresses are valuable because they are “now used as account names. Once an attacker has an email account, that can be used to reset and access all other accounts that use that email address. If your bank will email your new password to your email account, then access to your email account is akin to access to your banking account.”

Source  code  is  another  asset  that  prompts 
mixed  opinions.  Coffman  described  its  value 
as  “very  high,  as  the  attackers  now  know  how 
to  compromise  the  application  in  a  way  that  is 
unlikely  to  be  detected." 

But  Meltzer  contends  that  protecting 
source  code  is  more  hassle  than  it's  worth,  be¬ 
cause  “the  same  source  code  essentially  ships 
to  all  their  customers  anyway.  Why  bother 
breaking  into  the  company  to  steal  product 
source  when  it’s  so  much  cheaper  and  easier 
to  just  buy  it?” 

Spitler  agreed  with  Coffman  that  source 
code  can  be  “a  resource  to  be  used  in  devel¬ 
oping  future  attacks  against  the  company  or 
other  users  of  the  software.”  But  he  says  it 
is  rarely  a  target  in  a  broad-based  attack  for 
simple  profit  because  “it  is  very  hard  to  resell.” 

The same is true of corporate intellectual property, which has, Spitler says, “a very limited set of buyers, the competitors of the company, so when it is targeted, it is likely a nation state or a focused effort sponsored by a pre-identified buyer of the data.”

Coffman  says  Social  Security  numbers 
(SSN)  can  be  enormously  valuable  “because 
we  are  still  using  them  as  a  means  for  verify¬ 
ing  identity.  Once  someone  has  your  name, 
address  and  date  of  birth,  which  are  all  easily 
obtained,  they  can,  with  your  SSN,  assume 
your  identity  and  obtain  credit,  be  arrested, 
get  a  medical  procedure  under  your  insurance, 
etc.,  and  wreak  havoc  on  your  life,  for  the  rest 
of  your  life.” 

Whatever  the  value  of  various  assets  to 
an  enterprise,  the  methods  for  improving 
the  security  protecting  those  assets  are  not 
necessarily  complex  or  expensive.  Meltzer  rec¬ 
ommended  decentralizing  data  that’s  likely 
to  be  targeted,  so  hackers  who  breach  your 
defenses  aren’t  offered  a  buffet  of  sensitive 
information. 


Coffman  agreed,  adding  that  assets  should 
be  protected  with  strong  encryption,  which 
West  says  will  effectively  reduce  the  ROI  a 
hacker  can  get  out  of  an  attack.  Even  in  the 
event  of  a  breach,  West  says,  it  will  be  costly 
and  time-consuming  to  “convert  valuable 
data  that's  been  strongly  encrypted  into  its 
non-gibberish  state.” 

One  of  the  simplest  ways  to  lower  the 
ROI  of  attackers  is  to  keep  software  up  to 
date.  Sophos  Labs  reported  recently  that,  "91 
percent  of  the  booby-trapped  documents  in 
our  reports  from  January  and  February  2014 
would  have  been  rendered  harmless  by  just 
two  Microsoft  patches,  issued  two  and  four 
years  ago.” 

Experts  are  unanimous  in  saying  enter¬ 
prises  need  to  install  patches  promptly.  But 
Botezatu  says  it  is  not  always  as  simple  for 
companies  to  update  a  laptop  as  it  is  for  an 
individual  downloading  patches. 

"Enterprises  are  known  for  their  slow 
patching  cycle,”  he  says,  “but  this  is  mostly 
because  they  have  to  take  the  machines  out 
of  production,  which  means  downtime  and, 
implicitly,  money  loss. 

“Another  reason  for  not  upgrading  is  that 
some  applications  custom-made  for  a  com¬ 
pany  only  work  on  a  specific  configuration, 
such  as  Internet  Explorer  6.  An  update  would 
break  the  tools,  and  rewriting  these  could  be 
too  costly  for  the  company.” 

In  general,  however,  the  consensus  is  that 
basic  but  rigorous  security  measures  will  keep 
an  enterprise  ahead  of  the  pack.  “Organiza¬ 
tions  now  have  to  focus  more  on  restricting 
access  to  raise  the  bar,”  says  Yo  Delmar,  vice 
president  of  MetricStream. 

“That  means  a  well-thought-out  defense 
and  an  in-depth  strategy  with  continuous 
monitoring.” 

Coffman  recommends  having  an  outside 
company  “regularly  scan  for  'open  doors’  in 
your  network  that  make  you  an  easy  target 
for  the  majority  of  potential  data  thieves  that 
are  just  using  inexpensive  tools  to  troll  for  the 
slowest  gazelle  in  the  herd.” 


■ Contact freelance writer Taylor Armerding at taylor.armerding@gmail.com.




Risk 


Tony  Bradley,  Bradley  Strategy  Group 


MINIMAL  RISK 


Malware  in  Pirated  Software  Costs  Us  Billions 




CRIMINALS, BY THEIR VERY NATURE, CAN’T BE TRUSTED. It may seem like a bargain to be able to get pirated software cheap or free, but when you acquire software illegally, you also open yourself up to other risks and security concerns. The cybercriminals that distribute pirated software aren’t just acting as Robin-Hood-style philanthropists. They have ulterior, insidious motives as well, and that’s why malware in pirated software is costing the world billions of dollars.

Microsoft worked with IDC and the National University of Singapore to investigate the prevalence of malicious code in pirated software, and to explore the link between that malware and organized cybercrime. The study was conducted on 203 computers and spanned 11 nations (Brazil, China, India, Indonesia, Mexico, Russia, South Korea, Thailand, Turkey, Ukraine, and the U.S.). The study also incorporates the results of a survey of 951 consumers and 450 IT professionals across 15 nations, and a survey of 302 government officials from six countries.

Researchers determined that there is a 33 percent chance of encountering malware when installing pirated software or purchasing a PC that includes preinstalled pirated software.

The forensic analysis of the 203 computers in the study by the National University of Singapore found that 61 percent of the machines that had pirated software installed were also infected by malware.

David  Finn,  associate  general  counsel  and  executive  director  of 
the  Microsoft  Cybercrime  Center,  stressed  in  a  blog  post  that  these 


statistics  should  not  come  as  a  shock.  “After  all,  cybercriminals  aim 
to  profit  from  any  security  lapse  they  can  find.  And  through  pirated 
software,  they’ve  found  another  way  to  introduce  malware  into 
computer  networks:  breaking  in  so  they  can  grab  whatever  they 
want-your  identity,  your  passwords  and  your  money.” 

IDC  estimates  that  consumers  will  spend  a  combined  $25  billion 
and  waste  1.2  billion  hours  dealing  with  security  issues  resulting 
from  malware  on  pirated  software  in  2014  alone.  Sixty  percent  of 
the  consumers  surveyed  listed  loss  of  data  or  personal  informa¬ 
tion  among  their  top  three  biggest  fears,  followed  by  51  percent 
concerned  about  unauthorized  access  or  online  fraud.  In  spite  of 
these  concerns,  43  percent  of  the  consumers  surveyed  don’t  rou¬ 
tinely  install  security  updates  to  keep  their  PCs  protected. 

For enterprises, the money lost on pirated software jumps to almost half a trillion dollars. IDC estimates malware in pirated software will cost enterprises $127 billion to deal with security issues, and an additional $364 billion to address data breaches. That’s $491 billion that could be put to much better use if the risks associated with malware in pirated software could be minimized or completely eradicated.

The  Microsoft  Digital  Crimes  Unit  is  spotlighting  the  risks  associ¬ 
ated  with  pirated  software  as  a  part  of  its  annual  Play  It  Safe  Day. 
To  help  you  recognize  and  avoid  pirated  software,  Microsoft  pro¬ 
vides  tips  and  resources  on  the  HowToTell.com  website. 

-Tony  Bradley  is  principal  analyst 
with  the  Bradley  Strategy  Group 




Like  Everything  Else,  Managing  Risks  Gets 
More  Complex  as  Companies  Get  Bigger 


SIZE MATTERS WHEN IT COMES TO SECURITY, according to Davi Ottenheimer, senior director of trust at EMC. In April, he gave a presentation at Source Boston called “Delivering Security at Big Data Scale,” which began with the premise that “as things get larger, a lot of our assumptions break.”

The  promise  of  big  data  is  that  it  will  help  enterprises  make  bet¬ 
ter  decisions  and  more  accurate  predictions,  but  Ottenheimer  says 
achieving  that  goal  relies  on  placing  far  too  much  trust  in  systems 
that  are  not  well  secured.  “We’re  making  the  same  mistakes  we’ve 
made  before,”  he  says.  “We’re  not  baking  security  into  big  data, 
we're  expecting  somebody  else  to  do  it  later  on.”  Ottenheimer,  who 
is  completing  a  book  titled  Realities  of  Big  Data  Security,  says  he 
does  defense  research  and  focuses  on  avoidance  and  detection. 
“Avoidance  is  the  best  way  to  escape  a  damaging  attack,”  he  says. 
“You  can  move  data  centers  at  real-time  speeds.  You  can  keep  the 
old  one  as  honeypot  and  just  observe  what’s  going  on  with  it  with¬ 
out  causing  any  harm.  Big  data  allows  it  now  more  than  ever.” 

Detection, he says, is everywhere around us. At an event like the Boston Marathon, where catastrophic bombings occurred last year near the finish line, people taking pictures of their friends on their smartphones amounted to an ad hoc surveillance system. But Ottenheimer says the sad reality of big data systems, at least so far, is that analysts don't always "pull back to look at the entire ecosystem” of information, and therefore don’t get an accurate picture of the problem.

A  simple  example,  he  says,  was  UPS  setting  a  “no  left  turn” 
policy  for  its  drivers.  The  company  planned  to  save  time  and  money 
by  eliminating  left  turns  from  drivers'  routes.  But  the  real  problem 
wasn’t  which  way  the  trucks  turned,  it  was  that  they  were  idling 
their  engines  while  they  waited  to  turn.  “If  you  step  back  and  look 
at  the  real  source  of  harm,  you  can  deal  with  it,”  Ottenheimer  says, 
but  added  that,  again,  size  matters.  “Our  control  systems,  when 
we  grow  them,  cause  bigger  problems.”  This  also  means  “we  are 
moving  into  a  space  where  we  have  to  manage  risk  at  a  scale  we 
haven’t  seen.”  That  requires  intelligent  analysis,  he  says.  Without 
redefining  controls  and  risks,  enterprises  will  be  stuck  with  a  system 
like  the  nation’s  current  traffic-control  system.  “Stoplights  are  a 
really  bad  control  system,”  he  says,  because  they  leave  millions  of 
cars  sitting  at  intersections,  idling,  even  if  no  traffic  is  coming. 

“That’s  not  intelligent  control  at  scale.  But  now  we  are  starting 
to  have  lights  talking  to  one  another,  and  cars  talking  to  lights.” 

The  annual  savings  with  a  more  intelligent  control  system,  he  says, 
would  be  33  years  of  time,  $8  million,  and  27  fuel  tanker  trucks. 
When  it  comes  to  security,  “simple  checklists  are  good  for  simple 
things.  But  you  need  intelligent  analysis  for  things  that  are  more 
complex."  -Taylor  Armerding 


May  2014  www.csoonline.com  17 


The Risk of Offshoring Security

Over the past twenty years or more, corporations in nearly all industries have been throwing outsourcing into hyperdrive.

Venture capital firms, public shareholders, financial firms and corporate executives are driven by the need to reduce labor expenses, so they delegate responsibility to foreign parties. Often the money saved by offshoring simply goes back into the pockets of executives in the form of bonuses, sometimes in seven or eight figures, for reducing domestic labor as much as possible.

But the costs of this trend are immeasurable.

First of all, with more and more people in developed countries out of work, our economies are being destroyed. That problem isn't reflected in the stock market, not yet, anyway. But it will be, probably within the next decade. Often the millions of chronically unemployed or underemployed (such as those working at McDonald's or Wal-Mart) have B.A.s, M.A.s or even Ph.D.s. Many others have significant licenses and certifications in their trades.

A large percentage of those people are in their thirties, forties and fifties. They have years of experience in their areas of expertise, but they can't find work in their fields, so they collect welfare and work as Wal-Mart cashiers.

Keep in mind that in the U.S., a large percentage of workers at Wal-Mart, McDonald's, and other minimum-wage jobs still have to collect welfare and use food stamps to survive. When more and more people lack the spending money to buy consumer goods and services, the whole economy suffers. That change became noticeable in 2008, and it's only getting worse.

But our economies and ordinary citizens aren't the only ones being hurt by outsourcing, offshoring and hiring "temporary foreign workers."

In the 21st century, we're completely dependent on computer technology. Even your grandma, who may not use a PC, smartphone or tablet, still goes to the bank and to stores, both of which are managed by computer technology, just like her medical and governmental records.

What's most alarming is that IT security is also being offshored.

Those who encourage the practice claim that offshoring IT security frees their in-house IT departments from having to do mundane work, so their labor can be allocated more efficiently. And besides, look at all the money our company can save!

One minor comfort is a Computer Security Institute study from several years ago, which surveyed 479 security executives from various corporations and organizations in the U.S. Sixty-one percent of them said they've outsourced none of their security functions. Twenty-two percent said they've outsourced up to 20 percent of their security. Eight percent said they've outsourced 21 percent to 40 percent. Ten percent said they outsourced 41 percent or more of their security.

Well, the roughly 40 percent who said they've outsourced any percentage of their security is still worrisome.

But leaders in the IT security world who know what they're doing are too sensible to be tempted by offshoring and outsourcing. Jon Gossels, president of SystemExperts, told NetworkWorld, "My bias is against it."

Not having direct access to your security management creates a massive vulnerability. There's a new area of work in my industry: information security auditors who have to dedicate their efforts to monitoring the security of third-party security firms. What's the point? Information security auditors should be able to focus their work on monitoring just in-house security because, except for penetration testing and third-party compliance, all security work should be done in-house. And third-party pen testers and compliance regulators should be domestic, not foreign.

The NSA scandal and recent news about Russia and China highlight how outsourcing security or technical work to foreign countries can be a national security threat. The Patriot Act, in my opinion, is bloody well useless for securing the U.S., especially considering America's economic, security and technological dependence on other countries, some of which are possibly hostile, namely China.

Until the developed world starts to replace foreign workers with domestic workers on a significant scale, we're collectively screwed, economically, technically and security-wise.

-Kim Crawley is a security researcher for the InfoSec Institute, an IT security training company specializing in CCNA certification training.



BUSINESS  RISK  LEADERSHIP 




How to Educate Employees About the Insider Threat

After Snowden, companies consider what was once unthinkable. By Ira Winkler and Samantha Manke

One of the results of Edward Snowden's data leak is that companies are now more concerned about the insider threat than ever before. Snowden demonstrated that a single employee can devastate an organization.

While technology should have caught Snowden, his coworkers and managers should also have noticed indications of his unusual activities.

The question then becomes, how do you train employees to tactfully point out the signs of a malicious insider, without creating widespread distrust within an organization? Back when I worked at the National Security Agency (NSA), one of my coworkers showed me two documents that both called attention to employees who 1) were always interested in what their coworkers are doing, 2) volunteered for extra assignments, 3) always worked late and 4) never took a vacation. One of the documents was from human resources and explained how to get promoted. The other was from the security department and described how to tell if your coworker is a spy.

Clearly NSA employees failed to determine which side of the spectrum Snowden fell on, while employees at his past employer, the CIA, accurately identified his predisposition to expose classified information. Snowden demonstrates that even within organizations that should know better, detecting a malicious insider can be hit-or-miss. How, then, is an organization outside of the intelligence community supposed to make its employees aware of the concern, especially without inspiring a witch hunt?

The problem is real. Malicious insiders have wreaked havoc in organizations of all types. While the IT world focuses on stories of rogue administrators, insiders in all roles carry out thefts and other malicious actions. While some wrongdoers are very clever and are able to cover their actions well, the reality is that almost all malicious insiders show indications of their intent. This is relevant to awareness programs because the malicious actors' coworkers are in the best position to see those signs.

Balancing concerns of tact and awareness is delicate, but it must be done to maintain order. Generally, three things are required for awareness to be effective: 1) understanding of the problem, 2) knowledge of what actions to take and 3) motivation to take the appropriate actions. Generally, understanding the problem should create motivation, but an effective awareness program must specifically ensure that it addresses all three concerns. You can be aware an issue exists without being motivated to do anything about it.

The easy part of addressing the insider threat is that there are now many examples available to help you get the message across. People like Snowden and Chelsea Manning are clear demonstrations that it only takes one person to cause a lot of damage. While these individuals have become household names, it is better to use examples from your own company or industry. While some companies understandably do not like to discuss their own incidents, they can anonymize the cases. The message is actually simple: Insiders are a big threat, so don't ignore questionable behaviors.

The message can be boiled down to the organizational equivalent of, "If you see something, say something." The message should be to be on the lookout for violations of policies and procedures. It is also critical to remind employees that people just like themselves have stopped major insider crimes.

You must, however, avoid creating a modern-day Salem witch trial. The focus of your guidance should be telling employees to look for behaviors that are clear violations of policies and procedures. Examples include observing people looking through other people's desks, asking for passwords, being in areas where they do not belong, and attempting to access other people's accounts. There are also financial and other wrongdoings that are specific to job roles and industry sector.

A more delicate, but just as important, aspect of awareness is for people to be comfortable reporting uncomfortable feelings. This is admittedly vague, but uncomfortable feelings have resulted in catching malicious insiders in a variety of incidents. In one case we are personally familiar with, an employee felt uncomfortable that one of her coworkers was speaking Chinese a lot on the telephone at work, and they did not work with any Chinese people. The woman reported the incident and an FBI investigation discovered that the employee in question was tunneling information to Chinese intelligence operatives.

Everyone violates policies and procedures at some point without malicious intent. However, people need to know that some very harmful incidents were stopped because of observant employees. Again though, the focus is on reporting incidents and not on blaming the individuals committing the violations. This is important for a variety of reasons.

The action that employees need to take is to simply report the questionable incidents to human resources, their management or the security team. However, you must allow for anonymous reporting and have strong measures in place to protect the identity of the employee reporting the incident. Reporting another employee can obviously result in negative consequences for all involved. Anonymity is critical even if it potentially means that it is impossible to gather criminal evidence.

The goal is to detect incidents and stop the loss. Most organizations should already have an established incident-reporting structure. Those that do not should consult with the legal and human resources departments to create one.

Clearly, when trying to motivate employees to inform the organization about the violations committed by other employees, you should get the human resources and legal departments involved in at least approving the awareness materials that are distributed. They very likely will be able to provide guidance on how to best implement other aspects of the program as well.

Snowden's activities triggered an interest in organizations to examine what technological controls they can put in place to stop their own Snowden. Yet much like the NSA realized that Snowden's coworkers should have detected his leaks, all organizations must proactively strengthen their non-technical security measures, including and especially awareness. Snowden's coworkers should have been more capable of effectively detecting his actions than any technical countermeasure. Therefore, companies that are truly interested in preventing the insider threat should focus on making their employees the primary detectors of insider abuse.

The insider threat is too important a subject to shy away from, no matter how sensitive the implications may be. Unfortunately, history has shown us that the risk is too great.

—Ira Winkler and Samantha Manke can be contacted at www.securementem.com.




■  Lead 


Michael Santarcangelo, founder of Security Catalyst

TRANSLATING SECURITY VALUE

When Measuring Security Culture, Make Sure You're Using the Right Metrics

I was recently approached by a colleague who wanted to explore how to successfully shift security culture, but the more pressing problem is the need to measure it.

Building an effective and measurable security culture is becoming increasingly important, and what approach we take determines our success. In a business setting, culture is the way people, your colleagues, think, behave and work.

Developing a culture of security traditionally means integrating individual responsibility for protecting systems and information into the expected course of behavior.

If you're figuring out how to create a measurable security culture, I suggest starting with some basic measurements. These will not only form the baseline for your project but will also, if done properly, reveal the pathway to systematically introduce the elements people are ready for (or need) that will produce the best value for individuals and the organization. And that makes the program more likely to succeed.

Key Considerations to Creating a Culture of Security

Most of the leaders I speak with about shaping security culture start with the assumption that it necessarily means the current state is unacceptable and requires wholesale change. But often that's not really true. Sometimes it just takes a clear vision, open communication and the training people need and seek.

Instead of starting with preconceived notions of what your culture is or what it should be, focus on:

■ Connecting people to value: their own, as well as that of others and the business, and remind them how security helps protect what's important

■ Context: finding a shared understanding of the current culture

■ Conversation: listening and learning before telling, building relationships that guide and improve the overall cultural evolution
Place emphasis on demonstrating what is expected. Provide people with insights and opportunities to gain experience of what they can and should do. This is more effective than telling people that they should do something solely because a policy exists.

The Role of Measurement in Building the Culture

Focus on progress over perfection. To that end, measure the baseline and mark changes from there. Using those measurements to inform next steps is important.

For metrics to be successful, they need to be:

■ Accessible

■ Actionable

■ Auditable

For some, this is a bit scary, since it often reveals where things need improvement. That's precisely the reason to engage. When considering how to measure what matters, you have to remember that what matters to security is what matters to the business.

Use the measurements to inform the core elements of the:

■ Problem, which requires you to use metrics to find evidence that documents and ideally describes the real challenge

■ Solution, which requires metrics to help answer two key questions:
  - What is the expected outcome?
  - How can you show the solution has been implemented or change has occurred?

■ Proof, by using metrics to demonstrate the methods, frequency, work and value of the metrics program itself

Getting Started in Measuring the Culture

Most people undertake security awareness in an effort to promote a culture of security. That's a good starting point, but it generally only works when you're using the right definition of awareness and designing the process or system to achieve the single most important outcome: People report suspected incidents.

This matters because it is the first step in guiding a change in behaviors and actions. Since the expected action is to report suspected incidents, the process of measuring is a bit easier.

The initial outcomes to measure as a starting point include measuring how many people report a suspected incident. Doing this basically requires two things:

■ A method to showcase potential incidents so people build awareness

■ Insight into the incident reporting (not response) process

This starting point is the first step toward giving people a voice and a method to take responsibility. Additional elements that will give you insight:

■ How many incidents are reported (not making any distinction between how they're reported): This is a good trend to capture. Keep in mind that some things are cyclical by business or by nature, so you should focus on capturing the story that explains the trend.

■ How many people are using the incident reporting process (if one exists): This provides insight into the efficacy of the current process and may point toward opportunities for improvement.

■ What type of incidents are reported: This is interesting information that will help you figure out what people are spotting, where they have natural interests, and what is happening in the network.

■ How many reported incidents merit action: This is a reasonable indicator of how effective people are at spotting actual incidents versus exercising and coming to terms with their newly found awareness (and sometimes hyper-awareness) as a result of changes aimed at making a more secure culture.
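The four measurements above are easy to compute once reports are captured in a structured form, and the earlier article on the insider threat adds one constraint worth building in: the identity of the person reporting has to be protected. The following Python is an added example, not code from the column or from Security Catalyst. It takes a constructed batch of incident reports, replaces each reporter's identity with a keyed hash at ingest so the metrics data set cannot be used to look up who reported what, and then computes the monthly trend, the number of distinct people using the process, the channel and category mix, and the share of closed reports that merited action. The field names, channels, categories, dispositions and the pseudonym key are all assumptions made for the example.

```python
"""Incident-reporting metrics over a constructed set of reports.

Added example, not from the article: reporter identities are replaced by a
keyed hash at ingest so the metrics data cannot identify who reported what.
Field names, channels, categories, dispositions and the key are assumptions.
"""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumed secret held by the security team and kept out of the metrics store.
PSEUDONYM_KEY = b"example-key-rotate-in-practice"


def pseudonymize(reporter_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, opaque token for a reporter: an HMAC, never the raw id."""
    return hmac.new(key, reporter_id.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class Report:
    reported_on: date
    reporter: str      # output of pseudonymize(), not the raw id
    channel: str       # hotline, manager, security_team, hr
    category: str      # phishing, policy_violation, access, ...
    disposition: str   # actioned, no_action, open


def ingest(raw_rows):
    """Turn raw (date, reporter_id, channel, category, disposition) rows into
    Report records. Hashing happens here, at the boundary, so raw ids never
    reach the metrics functions below."""
    return [
        Report(date.fromisoformat(d), pseudonymize(rid), ch, cat, disp)
        for d, rid, ch, cat, disp in raw_rows
    ]


def monthly_trend(reports):
    """How many incidents are reported, by month: a trend, not a score."""
    months = Counter(r.reported_on.strftime("%Y-%m") for r in reports)
    return dict(sorted(months.items()))


def distinct_reporters(reports):
    """How many people use the process, counted on pseudonyms."""
    return len({r.reporter for r in reports})


def by_channel(reports):
    """Which reporting paths people actually use (formal process or not)."""
    return dict(Counter(r.channel for r in reports))


def by_category(reports):
    """What types of incidents are reported."""
    return dict(Counter(r.category for r in reports))


def actionable_ratio(reports):
    """Share of closed reports that merited action. Open reports are
    excluded so a triage backlog does not read as noise."""
    closed = [r for r in reports if r.disposition != "open"]
    if not closed:
        return 0.0
    return sum(r.disposition == "actioned" for r in closed) / len(closed)


# Constructed sample input: eight reports over two months.
SAMPLE_ROWS = [
    ("2014-03-03", "u1001", "hotline", "phishing", "actioned"),
    ("2014-03-10", "u1002", "manager", "policy_violation", "no_action"),
    ("2014-03-21", "u1001", "hotline", "access", "actioned"),
    ("2014-04-02", "u1003", "security_team", "phishing", "no_action"),
    ("2014-04-05", "u1004", "hr", "policy_violation", "actioned"),
    ("2014-04-11", "u1002", "manager", "phishing", "open"),
    ("2014-04-18", "u1005", "hotline", "access", "no_action"),
    ("2014-04-29", "u1001", "hotline", "phishing", "actioned"),
]


def summarize(raw_rows=SAMPLE_ROWS):
    """Compute every metric the column lists from one batch of raw rows."""
    reports = ingest(raw_rows)
    return {
        "total": len(reports),
        "monthly_trend": monthly_trend(reports),
        "distinct_reporters": distinct_reporters(reports),
        "by_channel": by_channel(reports),
        "by_category": by_category(reports),
        "actionable_ratio": actionable_ratio(reports),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

The design point is where the hashing sits: `ingest` is the only function that ever sees a raw reporter id, so everything downstream, including anything exported to a dashboard, carries only pseudonyms. Counting distinct pseudonyms still answers "how many people use the process" without the metrics store becoming a list of who reported whom.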

Why These Measurements Help Create a Stronger Culture

Capturing a broad measure of how the incident-reporting process functions creates the opportunity to consider trends and patterns.

At a minimum, it provides evidence of what people see and do, even if what they do is as simple as reporting an incident to someone else. Ultimately, the insights gained from these measurements direct activities of the highest value, including:

■ Improvement of incident reporting: Keep improving the process for better compliance and usage.

■ Better awareness programming to shape what people look for and report.

■ Training opportunities for people interested in taking personal responsibility and reducing their reliance on security for more commonplace tasks.

As an added benefit, the same measurements help improve the cycle of prevention, detection and response. The measurements provide evidence and context to reveal the blind spots and help you make necessary adjustments.

Building the Right Security Culture for You

The right security culture is one built on listening and guiding actions of mutual benefit through communication in context. The key is to get started and keep it simple.

While many of us have years of experience and insights into a myriad of security challenges, those challenges aren't usually the right starting place. Instead, put faith in people and seek first to understand the current culture and capture evidence to guide people in areas where it makes sense to improve.

A solid first step is to make sure the incident reporting process is working, before you even start worrying about security awareness.

Give people a voice and build their confidence in using it. That becomes a valuable conduit into what people see and do.

People make the culture. By connecting people to the value of security in a shared context, the culture evolves naturally and successfully to one that protects information.

-Michael Santarcangelo is the founder of Security Catalyst




Security Administrators Turn Into Analysts

I recently returned from Bogota in Colombia, one of Latin America's most significant countries from a business perspective.

The country is increasing its relevance as its economic and political environment improve, and it's building some controls around intellectual property and growing government support of industry. However, legal maturity, infrastructure and education still lag behind other developing nations, according to Gartner's "Analysis of Colombia as an Offshore Services Location."

Gartner also mentions that Colombia's 190 universities graduate about 30,000 students with business degrees every year, and about half of those are engineers. The number of people with IT skills is increasing, but it's still not enough to address the need.

Security Administrators

While I was in Colombia, it became clear that the security administrators of old are quickly changing. When I say "security administrators," I mean the type of IT security professional that focuses on tasks like creating firewall and VPN rules, maintaining endpoint security controls and keeping the security infrastructure running.

The skills required to be a security administrator are quickly becoming tasks associated with junior security staff. They are considered the basics that every security practitioner needs to know.

In Bogota, many folks I talked to said that security administration was once the entirety of their security program. But in the past year or two, they've had to adjust to accommodate the changing threat landscape and the trend toward using security to empower rather than slow the business. They've had to invest in more advanced security training for their staff and in incident detection and response tools, and they modified their security programs to focus more on prevention, detection and response, not simply preventative controls like firewalls and antivirus.

Security Analysts

Many of the security practitioners I spoke to considered themselves security analysts already or were working to achieve this designation. Part of this was for job security, but partly it's the nature of security: there's always a new challenge to embrace, a new technique to learn, and new technology to master. This constant change is what attracts most of us to this career to begin with.

These people all spent time as security administrators at one point but have now moved on to what they consider more advanced tasks, such as:

■ Responding to incidents

■ Dissecting malware

■ Investigating suspicious insider activity

■ Pushing the limits of log capture and packet capture for analysis

■ Integrating disparate products, vendors and intelligence feeds to improve effectiveness

Closing the Gap

The largest driver toward more advanced security practices seems to be the problem of "gap." There is a growing gap between the time it takes for an organization to be compromised and the time it takes to detect and mitigate that compromise. Many studies indicate that an organization can be compromised in hours, but most don't discover it for months.

This gap, often called the "threat window," is simply too large. Trying to address it with the technology, talent and techniques associated with security administration is fighting today's war with yesterday's technology; it's futile.

In Bogota, even with extremely limited resources, they are adjusting to avoid being too focused on preventative controls and security administration, and are now adopting incident detection and response programs staffed with security analysts.

Unfortunately, there aren't enough people with the skills to run these programs, and so companies are moving quickly to rectify this. Some steps they're taking include:

■ Consultants: third-party security analyst staff augmentation

■ Outsourcing security administration to a managed security service provider so the limited staff can focus on analysis instead of administration

■ Analyst certifications and training

■ Investing in incident detection and response technologies

■ Engaging in hacker competitions: One telecommunications firm I talked with offers an internal hacker challenge to employees with a cash prize to keep their security team sharp.

I'm curious to know what other organizations are doing to ensure that their technology, talent and techniques are ready for today's threat landscape and how they are minimizing the gap.

-Brian Contos, VP and CISO at Blue Coat's Advanced Threat Protection Group




Cover  Story 


More  CISOs  are  embracing  new  career  paths 
within  the  industry  By  George  V.  Hulme 


F  WE’RE  LUCKY,  WE’LL  ALL  HAVE  A  CHANCE 
once  in  our  careers  to  take  a  risk  and  use  our  skills  and 
experience  to  do  something  we  truly  love.  Sometimes  the 
career  risk  is  low,  but  sometimes  it’s  truly  a  leap  of  faith — 
one  that  offers  potentially  big  rewards  as  well  as  the  risk 
of  major  setbacks. 

Tammy Moskites took one such leap of faith. The former Time Warner Cable CISO had plenty of experience at traditional enterprises, including The Home Depot, Huntington National Bank, Nationwide and Aetna. And when she got word that there would soon be a major restructuring at Time Warner Cable, she realized that her role as CISO would be eliminated.

Forewarned of her upcoming unemployment, Moskites went on the lookout for new opportunities, and decided to do something completely different. During a conversation with Jeff Hudson, CEO at certificate and encryption key security firm Venafi, she temperature-checked the idea of moving from being a security executive for an enterprise — a role she had always played — to working on the vendor side of the business. “I know my role is going to get eliminated with the restructuring, and I’m very excited about the opportunity to possibly make a move to the vendor side,” she said to Hudson.

“He kind of laughed at me,” Moskites explained months after the fact. “And he then asked, ‘Are you serious?’”

She  was.  And  Hudson  took  her  up  on  her  offer. 

We are seeing more CISOs take chances today, and now that there’s near zero unemployment for seasoned security managers, it seems there is plenty of wiggle room for them to do so. Those who have been in security for a decade or more have usually built security programs from scratch. They’ve helped organizations recover from breaches. They’ve mentored new professionals. They’ve seen what works well and what doesn’t. And now they are ready to try new things.

Moskites is not entirely new to the vendor side, as she also sits on the board of advisers for Box and Qualys. And if you talk to her for 5 minutes, you can tell she’s not only passionate about the opportunity, but also a believer in the need for more secure treatment and management of certificates and encryption keys.

“Three out of every four organizations don’t have security processes in place to manage the SSH keys,” she says. “Once these keys are in place, they remain in place forever. It’s a huge risk.”

Many of the same motivations inspired Eric Cowperthwaite to recently leave his CISO position at Providence Health and Services to join Core Security as vice president of advanced security and strategy. Cowperthwaite had been CISO at Providence Health and Services for seven years.

“I hope to bring my experience as a CISO to the vendor community, and to instill some sense of the difficulties of the CISO’s job and how to best help them and what they’re trying to do,” he says.

“I think the trend is for more of us, when we find something that we really believe in, to use that as an opportunity to go out and talk to our peers and help educate them about why we are so passionate and how it can help them,” Moskites says.

However, Cowperthwaite wasn’t completely sanguine about making such a big jump. “I did not want to be perceived as selling out. From my perspective, it’s genuinely about finding what I think is a very innovative set of intellectual property that can help drive organizations to a more secure place,” he says.

Cowperthwaite was also concerned that he might have trouble getting the ear of the engineering team at Core, which he needs to do to discuss market needs. “Would I actually be able to be a voice of the market into engineering? That’s an extremely important thing. Engineering teams are smart as hell, but they rarely, if ever, know what it’s like to be a practitioner. I think it’s important to rejuvenate vendors with people who know what it’s like to be a practitioner,” Cowperthwaite says.

None of this surprises Stan Black, CISO at Citrix Systems. Black says that hiring managers’ demand for experienced security professionals is quite high. “They’re looking for people who have actually made some mistakes and worked in large-scale environments, those that have credibility and can talk about any topic,” he says.

And what’s in store for those CISOs that decide to move to the vendor side of the industry? Black says their new positions may be quite rewarding, offering many new hats that enterprise CISOs don’t typically get to wear. And he would know: Black has considerable experience working as a CISO at numerous software and security vendors, including EMC, RSA and Nuance, before joining Citrix this fall.

However, before making his most recent move, Black established a set of criteria for any position he chose. “I knew I didn’t want to report to the CIO ever again. And I wanted to join a company that possessed four key traits: They had to have integrity, a positive culture, a heritage in technology, and a strong vision. I love working with technology, personally. It’s something I really enjoy and has to be a big part of what I do,” he says.

In his position at Citrix, Black reports to the COO, who is also the CFO. “I am truly enabled to do my job. And to put my foot down, when it is appropriate, to protect our company and our customers,” Black says.

It’s quite a challenge to help Citrix develop its products securely, keep its customers secure and keep the company itself secure, but Black also finds it quite rewarding. “In addition to being the corporate CISO, I provide oversight for Citrix products, where my job essentially is to define one framework and one set of standards and get everybody on board with a common vision,” he says.

To achieve these goals, Black says that he has to engage with many aspects of the business, including sales, marketing, internal audit, design, engineering and business leaders. “It’s more of a question of who don’t I work with,” he says.

When it comes to internal Citrix security, Black works closely with the physical security and safety teams. “We’re running a converged security program, and the person that runs that — the physical side and the safety side — we’re working incredibly well together and we’re merging our two worlds together so we have visibility into our entire supply chain: products, services, people and data.”

Given CISOs’ ability to add value to all those critical areas, it’s no surprise to learn security vendors are snapping them up.

“Security companies often don’t realize that their products aren’t doing what security people need. I have sales people calling me constantly saying, ‘This widget will make you more secure. You don’t understand how important this is to you.’ Most of the time they don’t have a clue what is important to me,” Black says.

But that’s exactly the kind of value that both Cowperthwaite and Moskites hope to provide to their new employers.

“Vendors need to hear the honest truth and help them understand practitioners. They really do. The fact that there’s this chasm between vendors and practitioners and nobody trusts each other across this chasm is unacceptable. There is immense distrust across that boundary,” Cowperthwaite says. “If I can help them breach that boundary and establish more trust, then I’d consider the mission a success.”

Helping to build that trust, both with the vendor community and within the company’s own infrastructure, was one of the things that attracted Moskites to her new position — plus she still gets to do what she’s always done as CISO. “I am still a security officer at Venafi. I’m still doing the day-to-day securing of the company, writing security policies and procedures, but on a much smaller scale than at Time Warner. But only now as part of my job I actually talk to people about things that I’m passionate about. And that’s very cool.”


■ George V. Hulme is a freelance security and technology writer based in Minnesota.




Spring Cleaning

Spring has sprung, and it’s the perfect time of year to freshen up your security program! Here are some ideas on what to ditch and what to dust off in your office.

Declutter: Your workspace by ditching your current password-management system. Let the NSA manage your passwords for you instead!

Dust off: Your old IBM 5150 PC. This classic can bring you back to the days when securing machines was much simpler. No Internet connection!

Throw out: Your BYOD policy. You know employee-owned devices and habits are always changing anyway, so it’s time to write a new one.

Dust off: Your childhood Etch-a-Sketch. No need for a DLP plan with this tablet. Just shake away sensitive information!

See the latest CSOonline.com articles, ask questions and share your expertise with your peers and CSO’s editors on Twitter, LinkedIn and Facebook.




